Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access

new: PowerShell Web Access Feature Enabled Via DISM
new: PowerShell Web Access Installation - PsScript 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml

@@ -0,0 +1,31 @@
+title: PowerShell Web Access Installation - PsScript
+id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
+status: test
+description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
+references:
+    - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
+    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+author: Michael Haag
+date: 2024-09-03
+tags:
+    - attack.persistence
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection_install:
+        ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
+    selection_config:
+        ScriptBlockText|contains: 'Install-PswaWebApplication'
+    selection_auth:
+        ScriptBlockText|contains|all:
+            - 'Add-PswaAuthorizationRule'
+            - '-UserName *'
+            - '-ComputerName *'
+    condition: 1 of selection_*
+falsepositives:
+    - Legitimate PowerShell Web Access installations by administrators
+level: high